rfcdiff: draft-ietf-oauth-mtls-06.txt vs. draft-ietf-oauth-mtls-07.txt

(Text that differs between the two versions is marked [-06] for the old
text and [-07] for the new text; everything else is identical in both.)

OAuth Working Group                                          B. Campbell
Internet-Draft                                             Ping Identity
Intended status: Standards Track                              J. Bradley
Expires: July 19, 2018 [-06] / August 2, 2018 [-07]               Yubico
                                                             N. Sakimura
                                               Nomura Research Institute
                                                          T. Lodderstedt
                                                           YES Europe AG
                           January 15, 2018 [-06] / January 29, 2018 [-07]

  OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access
                                  Tokens
              draft-ietf-oauth-mtls-06 [-06] / draft-ietf-oauth-mtls-07 [-07]
Abstract

   This document describes Transport Layer Security (TLS) mutual
   authentication using X.509 certificates as a mechanism for OAuth
   client authentication to the authorization server as well as for
   certificate bound sender constrained access tokens as a method for a
   protected resource to ensure that an access token presented to it by
   a given client was issued to that client by the authorization server.
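   The certificate-bound ("sender constrained") token check that the
   abstract describes, as an added worked example that is not part of
   this draft or of any implementation it names: the authorization
   server records a thumbprint of the client certificate it saw at the
   token endpoint in the token's "cnf" claim, and the protected resource
   accepts the token only if the certificate on its own mutually
   authenticated TLS connection has the same thumbprint.  The example
   assumes the x5t#S256 confirmation method (unpadded base64url of the
   SHA-256 digest of the DER certificate), which is the method RFC 8705
   later standardized and which does not appear in the excerpt on this
   page; the certificate bytes are constructed filler, not a real X.509
   certificate, and the JWT signing or RFC 7662 introspection step that
   carries the claims to the resource is left out.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for the DER-encoded X.509 client certificates that
# the TLS layer hands to the authorization server and resource server.
# Real DER begins with a SEQUENCE tag (0x30); the rest is arbitrary filler.
CLIENT_CERT_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + b"constructed-client-cert-der"
OTHER_CERT_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + b"constructed-attacker-cert-der"


def x5t_s256(cert_der: bytes) -> str:
    """Unpadded base64url SHA-256 thumbprint of a DER certificate.

    Assumed confirmation method (x5t#S256): this is the value the
    authorization server places in cnf.x5t#S256 when it issues a
    certificate-bound access token.
    """
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_token_claims(client_id: str, tls_client_cert_der: bytes) -> dict:
    """Authorization-server side: claims for a token bound to the certificate
    the client presented on the mutually authenticated token-endpoint
    connection.  Signing into a JWT or storing for introspection is out of
    scope here; only the binding itself is modelled."""
    return {
        "sub": client_id,
        "cnf": {"x5t#S256": x5t_s256(tls_client_cert_der)},
    }


def resource_accepts(token_claims: dict, tls_peer_cert_der: Optional[bytes]) -> bool:
    """Protected-resource side: accept the token only if it is bound to the
    certificate actually presented on this TLS connection.

    A token stolen from the legitimate client and replayed over a
    connection authenticated with a different certificate (or with none)
    fails this check, which is the property the abstract describes.
    """
    cnf = token_claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if expected is None:
        # No certificate binding: a resource that requires sender-constrained
        # tokens must refuse rather than silently fall back to bearer semantics.
        return False
    if tls_peer_cert_der is None:
        # Connection was not mutually authenticated: nothing to compare against.
        return False
    actual = x5t_s256(tls_peer_cert_der)
    # Constant-time comparison of the two thumbprints.
    return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


if __name__ == "__main__":
    claims = issue_bound_token_claims("client-1", CLIENT_CERT_DER)
    print("bound cnf:", claims["cnf"])
    print("same cert   :", resource_accepts(claims, CLIENT_CERT_DER))
    print("other cert  :", resource_accepts(claims, OTHER_CERT_DER))
    print("no client TLS cert:", resource_accepts(claims, None))
```

   Because the resource compares against the certificate it received on
   its own TLS handshake, the check does not depend on the certificate
   chaining to a trusted CA; a self-signed client certificate binds a
   token just as well, and what matters is that the private key never
   leaves the client.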
   skipping to change at page 1, line 41

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 19, 2018 [-06] / August 2,
   2018 [-07].

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   skipping to change at page 3, line 45

   access tokens or replay of access tokens by unauthorized parties.
   Mutual TLS sender constrained access tokens and mutual TLS client
   authentication are distinct mechanisms, which are complementary but
   don't necessarily need to be deployed together.

1.1.  Requirements Notation and Conventions

   [-06] The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
   and "OPTIONAL" in this document are to be interpreted as described in
   RFC 2119 [RFC2119].

   [-07] The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
   and "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Terminology

   This specification uses the following phrases interchangeably:

   Transport Layer Security (TLS) Mutual Authentication

   Mutual TLS

   These phrases all refer to the process whereby a client presents its
   skipping to change at page 16, line 5

   [RFC7591]  Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and
              P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
              RFC 7591, DOI 10.17487/RFC7591, July 2015,
              <https://www.rfc-editor.org/info/rfc7591>.

   [RFC7662]  Richer, J., Ed., "OAuth 2.0 Token Introspection",
              RFC 7662, DOI 10.17487/RFC7662, October 2015,
              <https://www.rfc-editor.org/info/rfc7662>.

   [-07] [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in
              RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Appendix A.  Relationship to Token Binding

   OAuth 2.0 Token Binding [I-D.ietf-oauth-token-binding] enables the
   application of Token Binding to the various artifacts and tokens
   employed throughout OAuth.  That includes binding of an access token
   to a Token Binding key, which bears some similarities in motivation
   and design to the mutual TLS sender constrained resource access
   defined in this document.  Both documents define what is often called
   a proof-of-possession security mechanism for access tokens, whereby a
   client must demonstrate possession of cryptographic keying material

   skipping to change at page 17, line 11 [-06] / line 16 [-07]

   for their input and contributions to the specification: Sergey
   Beryozkin, Vladimir Dzhuvinov, Samuel Erdtman, Leif Johansson, Phil
   Hunt, Takahiko Kawasaki, Sean Leonard, Kepeng Li, James Manger, Jim
   Manico, Nov Matake, Sascha Preibisch, Justin Richer, Dave Tonge, and
   Hannes Tschofenig.
Appendix C.  Document(s) History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   [-07] draft-ietf-oauth-mtls-07

   o  Update to use the boilerplate from RFC 8174

   draft-ietf-oauth-mtls-06

   o  Add an appendix section describing the relationship of this
      document to OAuth Token Binding as requested during the
      Singapore meeting
      https://datatracker.ietf.org/doc/minutes-100-oauth/

   o  Add an explicit note that the implicit flow is not supported for
      obtaining certificate bound access tokens as discussed at the
      Singapore meeting
      https://datatracker.ietf.org/doc/minutes-100-oauth/

   skipping to change at page 18, line 44 [-06] / page 19, line 4 [-07]

      U46UMEh8XIOQnvXY9pHFq1MKPns

   o  Changed the title (hopefully "Mutual TLS Profile for OAuth 2.0" is
      better than "Mutual TLS Profiles for OAuth Clients").

   draft-ietf-oauth-mtls-01

   o  Added more explicit details of using RFC 7662 token introspection
      with mutual TLS sender constrained access tokens.

   o  Added an IANA OAuth Token Introspection Response Registration
      request for "cnf".

   o  Specify that tls_client_auth_subject_dn and
      tls_client_auth_root_dn are RFC 4514 String Representation of
      Distinguished Names.

   o  Changed tls_client_auth_issuer_dn to tls_client_auth_root_dn.

   o  Changed the text in Section 3 to not be specific about using a
      hash of the cert.

   o  Changed the abbreviated title to 'OAuth Mutual TLS' (previously
      was the acronym MTLSPOC).

   draft-ietf-oauth-mtls-00

   o  Created the initial working group version from draft-campbell-
      oauth-mtls

   draft-campbell-oauth-mtls-01

   o  Fix some typos.

   o  Add to the acknowledgements list.

   draft-campbell-oauth-mtls-00
End of changes.  9 change blocks.  6 lines changed or deleted, 18 lines changed or added.

This html diff was produced by rfcdiff 1.46.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/